Health Privacy and HIPAA

DOJ received industry requests this month to scrutinize the Maryland Online Data Privacy Act (MODPA) and other state privacy measures as possibly burdening interstate commerce. The closely watched Maryland legislation takes effect Oct. 1. The chief privacy officer of one company that flagged MODPA told Privacy Daily that his business' main concern is the part of the law's unique data minimization requirement that bans sale of precise location data.

Although every state has a data breach notification law, each one imposes different regulations and reporting requirements, Emory Roane, associate director of policy at Privacy Rights Clearinghouse (PRC), said in a recent interview with Privacy Daily. While some protections exist at the federal level, a comprehensive breach law would help, as would data minimization principles, privacy pros added.

Some groups seek assurances that they won’t be covered by rules implementing the New Jersey Data Privacy Act, according to comments submitted to the New Jersey attorney general’s Division of Consumer Affairs by Sept. 2. Many other business sectors urged the division to withdraw or significantly overhaul draft rules released last May (see 2509120009), according to comments obtained by Privacy Daily (part one, part two, part three).

Health care providers must balance the benefits of deploying AI chatbots while ensuring legal safeguards are in place that protect patient privacy, said Womble Bond research consultant Amy Hill in a blog post Monday. In particular, they must comply with regulations within the Health Insurance Portability and Accountability Act (HIPAA), she added.

Though many digital health apps and online platforms fall outside the scope of the Health Insurance Portability and Accountability Act (HIPAA), courts and regulators are using other tools to expand enforcement against them when they share sensitive health data without consent, said Sheppard Mullin lawyers in a blog post.

The California legislature passed two laws about artificial intelligence and automated decision systems on Friday, the last day for legislators to pass bills. In addition, it approved a measure on age-verification signals. Gov. Gavin Newsom (D) has until Oct. 12 to sign or veto the bills.

HIPAA and other privacy regulations often don't help consumers make a monetary argument in court against health care firms that have experienced a data breach, said attorney Nick Palmieri in a blog post Tuesday. Unlike the Health Insurance Portability and Accountability Act (HIPAA), however, "consumer-fraud statutes can keep a case alive," he said.

Organizations outside of health care may feel less comfortable complying with a new Colorado law than entities already covered by the Health Insurance Portability and Accountability Act (HIPAA), Aleksandra Vold, a BakerHostetler health privacy attorney, told Privacy Daily.

A breach at an Ohio firm that helps patients obtain physician-certified medical marijuana cards may have exposed the sensitive information of more than 900,000 of its customers, a law firm investigating the incident said Tuesday.

Software marketing firm Cierant Corporation failed to safeguard customers' personally identifiable information (PII) and protected health information (PHI), which allowed their exposure in a 2024 breach, alleged a class-action lawsuit filed Thursday. Plaintiff Melissa Gifford brought the suit in the U.S. District Court for Connecticut on behalf of her minor child, whose health information was leaked.